Changes


Talk:GEPS 013: Gramps Webapp

No change in size, 16:43, 31 October 2013
m
Security
* Revision control. Like this wiki, the ability to retrieve the history of any given database object, and see what changes were made, when, and by whom.
* Gramps hardening. Once we expose Gramps online, even in a supposedly "read-only" mode, and let anyone out there submit inputs to it, we open ourselves to lots of well-known exploit techniques, like any other web application out there. We have to protect the server capacity resources (CPU, data, and bandwidth), server assets (data - so that we don't have, e.g., an option in the web app that allows leaking data from the DB or the server's filesystem), clients (so that we don't make it easier to attack somebody else or extract data from a client's web browser in a multi-staged attack), other servers (so that, for instance, some webapp command doesn't cause our webapp to make a DoS attack against another machine), etc. Some of the threats might be mitigated by the appropriate Django mechanisms, but I haven't looked deeply. Last but not least, we need regression testing assuring that the security guarantees set forth by the features in the bullets above actually hold (e.g., that only the administrator may change the server settings and provision other user accounts).
This means we need security threat modelling, penetration testing, and a security code audit. Until then, I wouldn't recommend that anybody deploy it live.
There are surely plenty of other possible capabilities, but these are what come to mind right now as being most important for preserving the privacy and integrity of the data.